Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by itself (no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow. Stack buffer overflows often lead to elevation of privilege. Unfortunately, the literature tends to use stack overflow to refer to both cases, hence the confusion. The error code STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to a stack buffer overflow while the error code STATUS_STACK_OVERFLOW (0xc00000fd) refers to stack exhaustion.

On Bugtraq this morning, there was a public post of a stack exhaustion bug that, fortunately, does not lead to arbitrary code execution. Let's take a closer look at it and a few other examples. We'll start with today's Bugtraq posting:

<INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)”>

When IE attempts to parse this HTML, it runs out of stack space. Hooking up Windbg, you will observe the following first-chance exception:

(f9c.5b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
77f66627 56              push    esi

The stack is simply exhausted and there is no possibility of running arbitrary code in this case. Let’s look at a few others.

The next issue was also reported in IE recently:

<SCRIPT> 
foo = new Array();
while(true) {foo = new Array(foo).sort();}
</SCRIPT> 

Again, the HTML has requested an extra-ordinary amount of stack space. IE attempts to allocate space and it eventually runs out. Unable to process the HTML, it returns a stack overflow / exhaustion error (0xc00000fd).

One last example is from April 2008 and, again, it leads to a stack overflow/exhaustion error (0xc00000fd):

var str = "aaaaaaaaaaaaaaa(many thousands)”
document.myform.text.value = str
document.myform.submit()

<form name='myform'>
<input name='text' type='text' />
<input name='Submit' type='submit' />
</form>

As you can see, there are several ways of reaching a stack exhaustion condition. Fortunately, these are stability issues that by themselves cannot lead to remote code execution. This happens when a parsing client-side application cannot allocate enough stack space to complete an operation (as shown in the examples here where a web page was attempting to allocate as much stack as possible and eventually runs out of space).

We are always happy to triage bugs sent to secure@microsoft.com. Please send them in to us. We are definitely committed to engineering and security excellence. We evaluate every report and determine whether to service them as security issues or whether to hand them off to the product team to fix as reliability and stability issues. For each security issues, we will triage against the SDL bug bar (link to sample bug bar) and address via the MSRC security bulletin process. All issues (such as these stack exhaustion bugs) that are stability or reliability issues are triaged according to customer impact and addressed in future releases of the product.

Update Jan 29: Thanks to Mark Dowd for pointing out that stack exhaustion bugs might have a security impact if combined with a buffer overrun bug. You can read more about his research at https://www.blackhat.com/presentations/bh-usa-07/Dowd_McDonald_and_Mehta/Whitepaper/bh-usa-07-dowd_mcdonald_and_mehta.pdf

- Jonathan Ness, SVRD blogger

*Posting is provided "AS IS" with no warranties, and confers no rights.*

References:

STATUS_STACK_OVERFLOW (0xc00000fd ):


STATUS_STACK_BUFFER_OVERRUN (0xc0000409):